Define, educate, prevent: Avoiding data loss is easier than you may think

Most organizations believe they aren't in danger of losing data, but as recent news demonstrates, the threat is real and no organization is immune.

In a recent CDW report on threat prevention, data loss emerged as the No. 1 cybersecurity challenge faced by medium and large businesses. Fully 37 per cent of IT security decision makers surveyed for the report cited data loss as "the next big security threat" their organizations face, naming it a bigger threat than viruses, worms, malicious attacks and botnets.

Just envisioning the potential consequences of data loss is enough to keep executives up at night. Data loss of any kind can damage an organization in countless ways. From a simple hard-cost standpoint (forensics, notification, credit protection, etc.), data loss is expensive, costing an estimated average of $200 per record breached, or an average of $6.8 million per total breach, according to a recent Ponemon Institute survey.

The first step to prevent data loss is to accept that data loss is a real problem. Truly solving the problem can be boiled down to three simple concepts: define/baseline, educate and enforce.

Define data and create a baseline

This is not the typical, monstrously large (and perpetually doomed-to-failure) information classification project that so many IT organizations have undertaken and then abandoned. The key to success is to draw a distinction between confidential information (e.g. Social Security numbers) and confidential documents (such as a file containing Social Security numbers).

In today's IT world, nearly everyone is an information worker. In the course of business, people make copies of files, create reports, post them to SharePoint sites, etc. Trying to categorize information at the document level is typically prohibitively difficult because these documents are rapidly moving targets.

That said, the definition of "confidential" is usually straightforward. The simple data points that allow for fraudulent monetization of data (first and last name, address, Social Security number, credit card number, driver's license number, banking information, etc.), as well as data protected by regulation (e.g. HIPAA), are the minimum any organization should protect.

But every organization also has business critical data. Examples include the trading algorithm that was almost stolen from a well-known investment banking firm, the next quarter's sales pipeline for a reseller, pre-product-launch research data for a biomed firm or the source-code for a product at a software company.

Your next step should be to define what "business critical confidential" means to your organization. In the simplest terms, that definition should be measured against three standards:

➢ Would the loss of this information materially affect revenue and profitability?

➢ Would your organization's leadership want to be informed of a leak?

➢ Would your organization's leadership take action if informed of a leak?

In some ways, these are three separate questions driving to the same concept, but in a practical sense, applying all three questions enables organizations to cut through noise and churn, to focus on the true heart of "business critical confidential."

Once this definition is established, the second step is to measure the business against that definition, to gain clarity regarding the real risks. The areas of greatest concern do not necessarily overlap the areas of greatest exposure. In many cases, the single greatest exposure existing in an organization can be easily remedied by altering a single business process. The areas of greater concern are the ones that are harder to control.

Educate your organization and address problems

"Information security policy" -- have the shivers yet? A tremendous amount of research and effort goes into crafting an organization's information security policy. There are legal and liability reasons for much of what a typical information security policy covers. Unfortunately, in a practical sense, dozens (or hundreds) of pages covering a large amount of ground do not assist the typical information worker in making daily judgment calls on how to use and store confidential information.

Once the definition of "confidential" is determined and the use of confidential information has been measured, the next step is to use that insight to author a practical and concise policy. Your goal should be to keep the policy under a half-page in length, and to use it to define, in stereotypical "30 second elevator conversation," what data is confidential, and how it should be used.

As early adopters in the industry take on data loss prevention projects, there are many indications that clear, concise communication, coupled with education, can reduce data loss incidents by more than 90 per cent.

Prevent data loss from occurring

If process change, user education and real-time notification can reduce risk by 90 per cent, technological enforcement can narrow the remaining 10 per cent. The real key, however, is to make security an ongoing priority. Invest wisely and consistently in security technology that is tailored to manage the specific risks your organization is likely to face.

One way to do this is to dedicate an internal or external resource to monitor and manage security issues, making sure that this resource reports to the appropriate stakeholders. This strategy allows you to monitor security risks in real time, keeping the organization informed and involved in the security of your data.

Data loss is a threat that will continue to weigh heavily on the minds of IT executives everywhere, but there are tested and proven ways to safeguard your organization. By defining your data, educating your staff and taking proactive measures to prevent data loss, you will be able to dramatically mitigate your risk of falling victim to this common security threat.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.